NIST takes on risk management and PIV card security

Three new publications address certification, accreditation and other security issues

By William Jackson

Feb 24, 2010

The National Institute of Standards and Technology has released updated versions of three publications with guidelines for securing government information systems and protecting data on Personal Identity Verification cards.

Special Publication 800-37, Revision 1, “Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach,” caps a three-year effort to harmonize IT certification and accreditation across the civilian, defense and intelligence communities. It is the second in a series of publications being developed by a Joint Task Force Transformation Initiative, a partnership between NIST, the Office of the Director of National Intelligence, the Defense Department and the Committee on National Security Systems (CNSS) to create a common information security framework for agencies and contractors.

SP 800-73-3, “Interfaces for Personal Identity Verification,” is published in four parts and includes new optional features for PIV cards including on-card retention of retired Key Management keys and corresponding X.509 certificates for decrypting data encryption keys; the use of the ECDH key establishment scheme with the Key Management Key, as specified in SP 800-78-2; and provisions for Non-Federal Issuer credentials.

For the past three years, NIST has been working in partnership with ODNI, DOD and the Committee on National Security Systems (CNSS) to develop a common information security framework for the federal government and its contractors. The first publication produced under the Joint Task Force was Revision 3 of SP 800-53, “Recommended Security Controls for Federal Information Systems and Organizations.” The task force released that report in July, and created a common security control catalog for the government and private-sector security communities.

NIST called the second publication, the revised version of SP 800-53, historic in that it unified security controls, reflecting the security requirements of both the national security community and the rest of government. Greater emphasis now is placed on three critical areas:

Building information security capabilities into systems through the application of state-of-the-practice management, operational and technical security controls.

Maintaining awareness of the security state of systems on an ongoing basis though enhanced monitoring.

Understanding and accepting the risk to operations and assets, individuals, other organizations and the nation posed by the use of these systems.

Homeland Security Presidential Directive 12 mandated the creation of new standards for interoperable identity credentials for physical and logical access to Federal government locations and systems. Those standards are implemented in the PIV Card, the civilian counterpart of the military’s Common Access Card. SP 800-73-3 defines interfaces for the card and is being published in four parts.

The National Security Agency’s Suite B Cryptography specification removed Elliptic Curve MQV as an NSA-approved key exchange method. To re-align with Suite B, Elliptic Curve MQV is discontinued in SP800-78-2 as a key agreement scheme for the PIV card.

The final release of FIPS 186-3 Digital Signature Standard, published in June 2009, does not list RSA 4096 as an approved digital signature algorithm and key size for use in the federal government. To comply with FIPS 186-3, SP 800-78-2 accordingly removes RSA 4096 as an algorithm and key size for generating signatures for PIV data objects.

For symmetric authentication purposes (challenge and response), the Cipher Block Chaining mode of encryption is redundant to the Electronic Code Bock mode of encryption. To remove the redundant implementation, CBC has been discontinued in SP 800-78-2.